Even though I can get it to work on the Soekris/Monowall box, I am moving the ad-blocking to the primary server. Only takes a minute to set up the proxy. I must agree with some of the comments that once my firewall is set and working, I don't want to alter or modify it.

-------------- Original message ----------------------
From: Chris Buechler <cbuechler at gmail dot com>

> This thread has been beaten to death, but I'll throw in my 2 cents anyway.
>
> On Wed, 10 Nov 2004 09:01:33 +0100, Vincent Fleuranceau
> <vincent at bikost dot com> wrote:
> > -------- Original Message --------
> >
> > > Blocking of ads along with www sites that are not needed in a business
> > > should always take place at the edge (firewall), allowing this sort of
> > > traffic to the inside is really BAD, it can allow all sorts of bad things to
> > > happen at the workstation level and depending on users to do the right
> > > thing? .. We have loaded on m0n0wall the whole list of blocks and find that
> > > yes it does take 20 sec longer to load the firewall from a reload but it's
> > > still under a min to come back up . Heck how many PIX's can say that ..
>
> I haven't timed it, but I think my PIX takes ~30 seconds to reload
> (definitely less than a minute). m0n0wall does boot very quickly, but
> a PIX is a bad comparison. :) But considering you should only need
> to reboot your m0n0wall for upgrades or in the case of power failures
> (if you don't have a UPS), this is a moot point, IMO.
>
> > > Memory? .. We have found that 256megs of memory handles just about anything
> > > we can throw at the firewall .. Running P3 800's on the Firewalls and they
> > > barely see 5% CPU usage most of the day.
> > >
> > > Block at the edge is my vote.
>
> I'd much rather use client side blocking personally, but with a
> network with users that's not really a viable option. If you rely on
> a user to do anything you can ensure that control won't work the vast
> majority of the time.
>
> The problem with blocking domains by redirecting to 127.0.0.1 is that
> browsers tend to act weird when an image can't be loaded from a server
> they can't contact. Sometimes it causes the page to load very slowly
> (waiting for a timeout), IE for the folks that insist on using it
> makes you hit the back button twice on any pages that have images
> blocked like that, etc. Setting it to the IP of a web server on your
> LAN that serves either completely blank white or black pages for 404's
> is a much better solution though it's still not ideal.
>
> The nice thing about AdBlock in Firefox is it'll remove the whole
> space the ad should have taken, or iFrames when they're used, and
> doesn't have the problem I just described. AdBlock also allows much
> finer grained control over what you do and don't block. It'd be nice
> to see a corporate AdBlock that'll pull its block list from a central
> location.
>
> > What about Soekris net4501 boxes with 133 MHz CPU and 64 Mb RAM?
>
> Depends on how much RAM you have available, which depends on what
> services you're using. Obviously throwing a few hundred or thousand
> DNS overrides in your config is going to eat up some RAM. But my
> 4501's, which run quite a few services, run at 40-45% RAM utilization
> or less, so you figure you should be able to hold a ton of DNS entries
> in the remaining ~20 MB RAM you could use (being conservative, leaving
> plenty for any peak needs you may have and for upgrades via the webGUI
> which requires a few MB).
>
> -Chris
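
The DNS-override approach discussed in the quoted message, as an added example that is not part of the thread: it turns a blocklist into override lines aimed at a LAN web server instead of 127.0.0.1. The `address=/domain/ip` form is dnsmasq syntax (assumed here as the forwarder); the sample list, the sinkhole address 192.168.1.10 and the function names are constructed for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens, no hyphen at either end.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: hosts-file lines mixed with bare domains and junk.
SAMPLE = """\
# constructed sample blocklist
127.0.0.1   localhost
127.0.0.1   ads.example.com   # banner server
0.0.0.0     Tracker.Example.NET
ads.example.com
bad_host!.example.org
-broken.example.org
"""

def valid_hostname(name):
    """True for a syntactically valid multi-label hostname."""
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def parse_blocklist(text):
    """Return sorted unique hostnames from hosts-style or bare-domain lines."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        # Hosts-file lines start with an address; the hostnames follow it.
        try:
            ipaddress.ip_address(fields[0])
            fields = fields[1:]
        except ValueError:
            pass
        for name in fields:
            name = name.lower().rstrip(".")
            if name not in SKIP and valid_hostname(name):
                names.add(name)
    return sorted(names)

def dnsmasq_overrides(text, sinkhole_ip):
    """Build dnsmasq address= lines pointing each blocked name at the sinkhole."""
    ip = ipaddress.ip_address(sinkhole_ip)
    if ip.is_loopback or ip.is_unspecified:
        raise ValueError("use the LAN web server address, not loopback")
    return ["address=/%s/%s" % (name, ip) for name in parse_blocklist(text)]

if __name__ == "__main__":
    print("\n".join(dnsmasq_overrides(SAMPLE, "192.168.1.10")))
```

Each `address=/domain/ip` line in dnsmasq also covers the subdomains of that name, so one entry per ad domain is enough; deduplicating and rejecting malformed names keeps the override count, and the RAM it costs on a small box, down.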